PSD2 APIs and the risk of fraud

10 January 2017

Card-not-present (CNP) fraud is a big problem and is getting worse. It is possible that its severity, and the way it is outpacing ecommerce growth, have influenced the drafting of the PSD2 and the EBA RTS, including the definition of the required levels of customer authentication and the exemptions from it. Indeed, I attended an event recently where CNP fraud statistics were used to emphasise the need for payment security regulation in the PSD2.

To quantify the CNP fraud issue, based on a quick Google search, CNP fraud is growing at roughly 21% per year in Europe versus 13% per year growth in ecommerce. The value of European ecommerce is approximately €500bn annually, and CNP fraud is about €1bn. In contrast, European card-present fraud (at point-of-sale) is falling and is below €300m per year.

However, is it right to relate the fraud risks of CNP transactions to PSD2 payments, specifically PISP payments where customers initiate and push a payment directly from their bank account to a beneficiary (a retailer for example)?

I don’t believe so, or at least I don’t expect fraud arising from PISP payments to mirror CNP fraud.

A card is inherently prone to fraud. The root cause of card fraud is theft of card numbers and related data through, for example, hacking (data breaches), interception or phishing. Card numbers are easy to steal and can be used with comparative ease in CNP ecommerce transactions, hence the growth in CNP fraud. The cards industry has layered ever-increasing sophistication onto cards in an attempt to make them secure in the digital world (for example PCI, EMV, 3-D Secure, dynamic CVV and tokenisation to protect and/or disguise card data), and with some success, notably EMV at POS. But none of this gets away from the weakness of the pull payment process, in which the card number is in effect the key to the account.

In contrast, PISP payments are push payments, sent by the consumer to the beneficiary’s account. No credentials, no card numbers, no bank account numbers or other identity details are shared with the beneficiary (or anyone else) – PISP payments are inherently much safer than card payments.

A good example of this is the iDEAL ecommerce payment system in the Netherlands, where consumers push payments directly from their bank accounts to merchants. In operation for 10 years, iDEAL is popular in the Netherlands and is the dominant online payment method. I can’t find fraud figures published by iDEAL, but I understand they are very low, and the evidence points to this: the low cost to merchants of an iDEAL payment indicates that any fraud risk premium in the fee must be low, and iDEAL has no chargeback mechanism, which also indicates that fraud is low (a chargeback mechanism would undoubtedly have been implemented if reimbursing consumers for fraud were a regular occurrence).

The EBA has had to balance competing requirements in producing its RTS for PSD2, in particular the balance between user convenience and security. Feedback suggests the industry believes the balance is not right yet, particularly the low exemption limits and the inability of merchants and PSPs to make their own risk-based judgements on security.

I don’t know how, or even whether, the EBA has used CNP fraud data to inform its decisions in formulating the PSD2 RTS for strong customer authentication, but I suspect that the alternative payments world of push payments is a more realistic, and very different, guide to fraud risks under PSD2 than the current realities of CNP fraud.


Comments: (3)

UPDATE - The Dutch Payments Association has contacted me to confirm that iDEAL in fact had no fraud and strong growth last year: “iDEAL was up 27,5% to 283 million payments in 2016. Conversion rate is 85-90% with zero fraud because of SCA. Following market demand, iDEAL was released for C2C payments last December, so figures are expected to grow even faster than before.”

q.e.d.

I have long been a fan of iDEAL and generally of online/digital push payments. With PSD2 their day has come. Banks planning to launch competitive payment initiation services under PSD2 should take a close look at iDEAL; it is an interesting solution and points to the future of digital payments.

Market-driven use cases (bank, consumer and merchant demand) and the ubiquity of the card-based payment method define the landscape today, while iDEAL is a proven competitor of e-commerce and even face-to-face card payments. It could even be argued that it is the model for PSD2 as defined by the EPC. Such schemes have their place and are being emboldened or redefined by the PSD2.

The scope of SCA was originally directed to PISP and was expanded to all electronic payments including e-comm, mobile and unattended. This change or lack of definition in scope raised many questions about how existing payment methods might be impacted by PSD2 requirements.

Market forces around e-commerce are constantly optimizing profit, fraud risk and abandonment/conversion. The Dutch model is so much more than iDEAL. It includes cultural norms, banking regulation, criminal code, enforcement, scale, and many other supporting factors that may or may not exist in other countries. Card schemes have long dealt with this reality through their rules and technological advancements. Back in the day, card fraud was minuscule. The threats to iDEAL are not fully known, and it cannot be applied to all markets or use cases. If card numbers are the key to accounts, what are the bank account numbers found on practically every invoice in Europe?

PISP coupled with universally available direct debit/credit across SEPA opens a floodgate of possibilities and vulnerabilities. Wisely, Strong Customer Authentication, SCA, is required. How and when it is implemented, and for which payment types, requires more thought and consideration of market economics. As PISP